Oracle Health Breach 2025: Patient Data Exposed During Cerner Cloud Migration
In early 2025, Oracle Health — the healthcare division of Oracle formed through its $28 billion acquisition of Cerner — disclosed a breach of its legacy Cerner data migration servers that exposed patient health data from dozens of US hospital systems. The breach highlighted a specific and underappreciated risk in major M&A transactions: the security posture of legacy systems during data migration is often significantly weaker than either the acquiring company's production environment or the target's pre-acquisition systems.
Oracle notified affected hospital customers in February 2025, weeks after the breach was discovered. The company confirmed that an unauthorized party had accessed Cerner legacy migration servers and obtained patient data. The FBI was engaged. Several healthcare system executives who spoke publicly about the incident characterized Oracle's communication to hospital customers as insufficient. The breach affected an undisclosed number of US hospitals that had their Cerner EHR data in Oracle's migration environment. Congressional inquiries into Oracle's notification practices were opened in the spring of 2025.
The attacker gained access to Cerner legacy servers that Oracle was using to migrate hospital patient data to Oracle Cloud. These servers, maintained in a transitional state during migration, were not subject to Oracle's standard cloud security controls and retained configurations from the Cerner environment. The attacker exfiltrated patient data from them before the migration was complete. The breach affected an unknown number of hospitals that had contracted with Oracle Health for EHR and data services. Oracle's initial response was criticized for lack of transparency with affected hospital customers.
The Oracle Health breach established that M&A data migration periods represent a distinct, elevated security risk window. When systems are in transition, they often lack both the security controls of their origin environment and the controls of their destination environment. The migration state is the moment of maximum vulnerability. Any PE sponsor overseeing a post-close technology integration must treat data migration as a security-critical project requiring dedicated security oversight, not just IT project management. The breach also reinforced that healthcare data liability follows the data, not the corporate structure — Oracle inherited Cerner's data obligations and bore the breach consequences.
For PE sponsors managing post-close technology integrations, the Oracle Health breach is the canonical case for data migration security investment. The migration window — when systems exist in transitional states — is when security controls are most likely to have gaps. Post-close integration security assessment must include explicit evaluation of what data is being migrated, through what systems, with what access controls, and monitored by whom during the transition.